VPN Setup in Ubuntu 9.10

VPN Setup in Ubuntu 9.10

Here's a synopsis of my VPN setups. I have proven this to work on both x86 and x64 for all 3 VPN types. Important note/disclaimer: I tested these configurations on VMware Workstation 7 VM's and a Dell Vostro 220. All installations were fresh installs, not upgrades. Also, please notice that I detail what type of firewall/VPN I am connecting to for each VPN type. There are so many variations on these VPN implementations that it is extremely difficult to generalize a known-good configuration for each.
Install various VPN components
PPTP
pptp-linux
network-manager-pptp
b. VPNC
vpnc
network-manager-vpnc

c. OpenConnect
openconnect
network-manager-openconnect
Reboot
PPTP VPN Configuration - This setup works for connecting to ISA 2004/2006 PPTP VPNs. It should work for connecting to MS PPTP VPN implementations in general. I can't speak for other PPTP VPN implementations.
Create new PPTP connection
VPN Tab Settings
Set Connection name
Set Gateway
Set username (for domain-based user accounts, use domain\username)
DO NOT SET PASSWORD
DO NOT SET NT DOMAIN
PPTP Advanced Options (Advanced button)
uncheck all auth methods EXCEPT MSCHAPv2
check "Use Point-to-Point encryption (MPPE)"
leave Security set at "All Available (Default)"
trying to force encryption level causes this option to become unset
check "Allow stateful inspection"
uncheck "Allow BSD Data Compression"
uncheck "Allow Deflate Data Compression"
uncheck "Use TCP Header Compression"
uncheck "Send PPP Echo Packets" (although connection works either checked or unchecked)
save configuration
b. Initial Connection attempt
enter password in login box
DO NOT check either password save box at this time
once connection establishes, verify remote connectivity - ping, rdp, ssh, etc.
disconnect VPN session
c. 2nd connection attempt
enter password in login box
check both password save option boxes
once again verify remote connectivity
disconnect VPN session
d. Subsequent connection attempts
VPN session should automatically connect using saved auth credentials
VPNC VPN Configuration - This setup works connecting to an ASA5510 - software version 8.2(1). I didn't have any other Cisco devices to test against.
Create new VPNC connection
set connection name
set Gateway
set Group Name
set User Password to "Saved" and enter password
set Group Password to "Saved" and enter password
set username
set domain (if applicable)
leave Encryption Method at "Secure (Default)"
set NAT traversal to "NAT-T"
save configuration
b. Initial Connection attempt
open VPNC connection
if prompted, select "Always Allow" if you want connection to be automatic
verify remote connectivity - ping, rdp, ssh, etc.
disconnect VPN session
c. Subsequent connection attempts
open VPNC connection - session should automatically connect

OpenConnect VPN Configuration - This setup works connecting to an ASA5510 - software version 8.2(1). I didn't have any other Cisco devices to test against.

Create new OpenConnect connection
set connection name
set Gateway
set Authentication type to "Password/SecurID"

no need to set username, OpenConnect won't store it yet
save configuration
b. Initial connection attempt
open VPN connection
check "Automatically start connecting next time"
click Close
you will get the "No Valid VPN Secrets" VPN failure message
c. 2nd connection attempt
open VPN connection
accept certificate (if prompted)
change Group (if necessary)
enter username (may need to be domain\username)
enter password
click Login
if VPN connection fails, see note below
verify remote connectivity - ping, rdp, ssh, etc.
disconnect session
d. Subsequent connection attempts
open VPN connection
enter password
session should connect

Note: If you get the "Login Failed" message, cancel and wait 15-30 minutes before attempting to connect again. Also, I ended up having to use the NT style domain\username pair for authentication, even though a Cisco AnyConnect client connecting to the same ASA only requires username.

More Detail: OpenConnect has been brutal to get connected. I got failed attempt after failed attempt. When I checked the NPS (IAS) log and the Security Event log on the W2K8 domain controller, I could see my user account authenticating properly via RADIUS from the ASA. Yet the OpenConnect client came back with a "Login Failed" message. I'm not an ASA expert, so I have no idea what to check in the ASA configuration to troubleshoot this problem, other than the basic AAA configuration. But I believe the problem lies in the ASA configuration because when I get the OpenConnect "Login Failed" message, the AnyConnect client from my Windows laptop fails as well. I think it may be a ridiculously short timeout or max failure setting. Whatever the issue is, I have to wait for some length of time (~15-30 minutes) for whatever the problem is to reset.

However, once I finally get the OpenConnect client to successfully connect, it worked from then on. (Just don't mess with the connection configuration, or you will get to go thru this whole process again.)